No rate limit on "resend email feature" while enabling or disabling 2FA from /prefs/mfa endpoint in ikus060/rdiffweb

Valid

Reported on

Dec 21st 2022


Description

When a user sets up 2FA, a verification code is sent to the registered email address. There is no rate limit on this email trigger, which allows an email flood / DoS attack and also increases the expenses on your mail server: an attacker can send 1 million emails through this vulnerability, which adds to your cost as well.

Proof of Concept

1) Go to https://rdiffweb-dev.ikus-soft.com/prefs/mfa
2) Click "Enable 2FA". A verification code will be sent to your email.
3) Click the "Resend code to my email" button and capture the request with the Burp Suite proxy.
4) Send this request to Burp Suite Intruder and fire the same payload 1000 times.
5) The registered email address will receive 1000 emails with verification codes.



# Impact

An attacker can abuse this bug by:
1) Causing an impact to the user. Scenario: the user leaves their account logged in at a library; an attacker can then perform the steps above to spam the user's email.
2) Adding extra cost to the company's mail server.

# Please note: the previous rate-limit bug was reported for the /mfa endpoint; this report concerns the /prefs/mfa endpoint.
We are processing your report and will contact the ikus060/rdiffweb team within 24 hours. 19 days ago
Nehal Pillai
19 days ago

Researcher


PoC video: https://drive.google.com/file/d/1L5mZJ7WvtCZEw0MQBEjtxMYSCkpL923i/view?usp=sharing

We have contacted a member of the ikus060/rdiffweb team and are waiting to hear back 18 days ago
Patrik Dufresne validated this vulnerability 18 days ago
Nehal Pillai has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Nehal Pillai
18 days ago

Researcher


Hello sir,

Thank you for validating this issue.

I have found this same bug through an application logic error as well.

On entering a wrong code more than 3 times, the application automatically sends/triggers a new code to the user's email address.

Using this logic, if an attacker is able to provide 100000 wrong attempts, automatically on every third attempt a new email will be generated, and this will again cause an email flood attack.

Should I create another report demonstrating that issue?

Patrik Dufresne
18 days ago

Maintainer


Hello Nehal,

I've deployed a possible fix for this vulnerability in Rdiffweb Dev.

Regarding

Using this logic, if an attacker is able to provide 100000 wrong attempts, automatically on every third attempt a new email will be generated, and this will again cause an email flood attack.

That is not true: since we have a rate limit on /mfa and now on /prefs/mfa, an attacker will not be able to send more than 20 emails per hour (this is the default rate limit).

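The two email-sending paths discussed on this page (the explicit "resend code" button, and the automatic resend after three wrong codes) and the per-user cap of 20 emails per hour that the maintainer cites, modelled in Python as an added example. This is not rdiffweb's code and does not reproduce its fix: the sliding-window limiter, the `EmailRateLimiter` and `MfaEnrollment` names, the in-memory outbox standing in for the mail server, and the deterministic `FixedClock` are all illustrative assumptions. `simulate()` replays both abuse scenarios from the thread and returns how many emails actually left the outbox in each.

```python
import secrets
from collections import defaultdict, deque


class FixedClock:
    """Constructed, controllable clock so the simulation is deterministic."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class EmailRateLimiter:
    """Sliding-window limiter keyed per user: at most `limit` emails per
    `window` seconds. 20 per hour matches the default quoted in the thread;
    the class itself is an assumption, not rdiffweb's implementation."""

    def __init__(self, clock, limit=20, window=3600):
        self.clock = clock
        self.limit = limit
        self.window = window
        self._sent = defaultdict(deque)  # user -> timestamps of emails sent

    def allow(self, user):
        now = self.clock()
        q = self._sent[user]
        # Forget send timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # budget exhausted: caller must not send
        q.append(now)
        return True


class MfaEnrollment:
    """Toy model of the /prefs/mfa flow. Both the explicit resend and the
    automatic resend after three wrong codes go through the same limiter,
    so the wrong-code path cannot be used to bypass it."""

    WRONG_ATTEMPTS_PER_RESEND = 3  # assumed, from the researcher's observation

    def __init__(self, limiter):
        self.limiter = limiter
        self.outbox = []  # (user, code) pairs; stands in for the mail server
        self.codes = {}
        self.wrong_attempts = defaultdict(int)

    def _send_code(self, user):
        if not self.limiter.allow(user):
            return False  # rate-limited: no email, and the old code stays valid
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.codes[user] = code
        self.outbox.append((user, code))
        return True

    def start(self, user):
        """User clicks "Enable 2FA": first code goes out."""
        return self._send_code(user)

    def resend(self, user):
        """User clicks "Resend code to my email"."""
        return self._send_code(user)

    def verify(self, user, code):
        if secrets.compare_digest(code, self.codes.get(user, "")):
            self.wrong_attempts[user] = 0
            return True
        self.wrong_attempts[user] += 1
        if self.wrong_attempts[user] % self.WRONG_ATTEMPTS_PER_RESEND == 0:
            self._send_code(user)  # automatic resend, still subject to the limiter
        return False


def simulate(resend_clicks=1000, wrong_codes=100000, limit=20, window=3600):
    """Replay the two abuse scenarios from the thread and return
    (emails sent by resend clicks, emails sent by wrong-code attempts)."""
    clock = FixedClock()
    mfa = MfaEnrollment(EmailRateLimiter(clock, limit, window))
    user = "alice"

    mfa.start(user)
    for _ in range(resend_clicks):
        mfa.resend(user)
    sent_by_resend = len(mfa.outbox)

    clock.advance(window)  # a new hour: the per-user budget is fresh again
    mfa.outbox.clear()
    mfa.start(user)
    for _ in range(wrong_codes):
        mfa.verify(user, "xxxxxx")  # can never match a six-digit code
    sent_by_wrong_codes = len(mfa.outbox)
    return sent_by_resend, sent_by_wrong_codes


if __name__ == "__main__":
    print("with 20/hour limit:", simulate())
    print("no effective limit:", simulate(limit=10 ** 9))
```

With the limiter in place, 1000 resend clicks and 100000 wrong codes each yield 20 emails in the hour; with an effectively unlimited budget the same inputs yield 1001 and 33334, which is the flood the report describes. Keying the limiter on the user rather than the client IP is deliberate: the scenario in the report is an attacker at the victim's already-logged-in session, so a per-IP limit alone would not bound the emails a single account can generate.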
Nehal Pillai
17 days ago

Researcher


That is true. I agree :)

Patrik Dufresne marked this as fixed in 2.5.5 with commit 6e9ee2 17 days ago
Patrik Dufresne has been awarded the fix bounty
This vulnerability has been assigned a CVE
Patrik Dufresne published this vulnerability 17 days ago